John Donovan from Sophos outlines proactive cyber security measures organisations can employ to “prepare for the worst”.
Over the past several years, the Australian government has made it a priority to address the growing level of cyber threats through multiple legislative changes, increased cyber security spending, publicised guidelines and frameworks and ongoing educational initiatives to improve awareness on how to identify and mitigate the risks.
While we’ve recently seen a change of government, this focus on cyber security does not appear to be going anywhere, with the appointment of Australia’s first Minister for Cyber Security, Clare O’Neil. Minister O’Neil’s agenda, together with the government’s current and future initiatives, goes a long way towards guiding organisations on how to protect their businesses from cyber threats. However, these are only guides and should not be seen as a replacement for an organisation’s own cyber security strategy.
Ransomware posing a growing threat to Australian organisations
A recent study by Sophos found 80 per cent of Australian businesses were hit by ransomware last year, up from 45 per cent in 2020. This shows that it is not a matter of if you get hit, but when, and organisations need to be prepared with tools to reduce the risk of attack and a solid plan of action to get business operations back to normal as quickly as possible after an attack.
This preparation could include cyber security insurance; however, insurance should only be seen as plan B and part of the recovery process, not as protection from cyber attacks. Thankfully, the evolution of cyber insurance requires organisations to meet stringent requirements to acquire cover, helping to fortify defences and reduce the risk of attack in the first place. So, the process of applying for and securing cyber insurance could be considered as providing more value to the organisation than the insurance itself.
The Australian Cyber Security Centre (ACSC) is a good resource for organisations looking for guidance and direction on cyber resilience and good practices. This includes the “Essential Eight”, which provides a starting point for cyber security preparedness. However, as each business is different, business leaders should build on this to develop a strategy that is fit for purpose, as it is their duty of care to protect employees, customers and data from cyber threats.
While the ACSC provides education on cyber threats and guidance on how to reduce risk, there is other government legislation to help protect organisations and the country from broader attacks. For example, the Security of Critical Infrastructure Act, implemented in July 2018, sets out a framework for protecting critical infrastructure and what steps to take in the event of an attack on critical infrastructure. The act also states that the government can provide last-resort assistance and direction in response to serious cyber attacks once all other mechanisms have been exhausted.
In addition, the Notifiable Data Breaches scheme requires organisations to notify the Office of the Australian Information Commissioner (OAIC) as soon as possible if affected by a data breach. Organisations that fail to respond to, mitigate, notify of, or prevent an incident may be found to be in breach of the Corporations Act 2001, which makes them liable to fines and other consequences.
RI Advice recently became the first company in Australia to be found by the Federal Court to be in breach of licence obligations to “act efficiently and fairly when it failed to have adequate risk management systems to manage its cyber security risks”. As a result, RI Advice was ordered to pay $750,000 to the Australian Securities and Investments Commission (ASIC).
Further afield, organisations are being held accountable for cyber security breaches that have far-reaching implications. In the US, the Colonial Pipeline attack has led to Colonial Pipeline facing a US$1 million penalty for its procedural failures.
Organisations that fall victim to ransomware suffer economically whether they choose to pay the ransom or not. Ransom notwithstanding, there are many costs associated with recovering from a successful ransomware attack such as engaging a cyber forensics team, recovering data from backups and rebuilding machines and servers.
According to Sophos data, remediation costs for Australian businesses average $1.5 million, with Australian organisations taking about one month to recover from an attack. In addition, 83 per cent of organisations had their ability to operate impacted, while 86 per cent reported that the ransomware attack caused their organisation to lose business or revenue. This, of course, doesn’t take into consideration the reputational damage that can also accompany a ransomware attack.
Making the right investment
Alarmingly, some organisations that fall victim to ransomware view paying the ransom as a viable option even when they have other sources of recovery such as backups. Organisations are investing in cryptocurrency as a pre-planned form of payment for future ransomware attacks.
Crypto’s non-traceable transactions make it attractive not only to cyber criminals but also a tempting option for organisations that believe it to be a trail-free way to quickly recover and receive their data back without alerting the authorities.
However, given that only 4 per cent of organisations that paid a ransom reported getting all of their data back, this is probably not the best strategy. Instead, organisations should look to invest in cyber security tools and strategies that stop attacks in the first place.
At the end of the day, it’s about getting the basics right and not relying on insurance, the government, or a secret stash of crypto to get you out of trouble. To do this, we recommend:
- Invest in cyber security defence infrastructure across all points in the organisation’s environment. Review security controls regularly and make sure they continue to meet the organisation’s needs.
- Proactively hunt for threats to identify and stop adversaries before they can execute their attack – if the team lacks the time or skills to do this in-house, outsource to a managed detection and response (MDR) specialist.
- Harden the IT environment by searching for and closing key security gaps: unpatched devices, unprotected machines, open RDP ports, etc. Extended detection and response (XDR) solutions are ideal for this purpose.
- Prepare for the worst. Know what to do if a cyber incident occurs and keep the plan updated.
- Make backups and practise restoring from them so the organisation can get back up and running as soon as possible, with minimal disruption.
- Educate the whole organisation – from the boardroom to the warehouse – on the risks of cyber threats, how to recognise a threat and what to do if they identify one.
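As an added illustration of the gap-hunting and backup-testing items above (example code written for this piece, not from Sophos or the article), the script below audits a constructed host inventory for the gaps the list names: unpatched devices, machines without endpoint protection, open RDP ports, and stale or never-restored backups. The host field names, thresholds and sample hosts are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Optional

RDP_PORT = 3389              # TCP port used by Remote Desktop
MAX_PATCH_AGE_DAYS = 30      # assumed policy: patch within a month
MAX_BACKUP_AGE_DAYS = 1      # assumed policy: daily backups
MAX_RESTORE_TEST_DAYS = 90   # assumed policy: quarterly restore drills

@dataclass
class Host:
    name: str
    internet_facing: bool
    open_ports: set
    days_since_patch: int
    endpoint_protection: bool
    days_since_backup: Optional[int]        # None = never backed up
    days_since_restore_test: Optional[int]  # None = restore never tested

def audit_host(h: Host) -> list:
    """Return the hardening gaps found on one host (empty list = clean)."""
    gaps = []
    if h.days_since_patch > MAX_PATCH_AGE_DAYS:
        gaps.append(f"unpatched for {h.days_since_patch} days")
    if not h.endpoint_protection:
        gaps.append("no endpoint protection")
    if RDP_PORT in h.open_ports:
        gaps.append(f"RDP open ({'internet-facing' if h.internet_facing else 'internal'})")
    if h.days_since_backup is None:
        gaps.append("never backed up")
    elif h.days_since_backup > MAX_BACKUP_AGE_DAYS:
        gaps.append(f"backup stale ({h.days_since_backup} days)")
    # A backup that has never been restored is an untested backup.
    if h.days_since_restore_test is None:
        gaps.append("restore never tested")
    elif h.days_since_restore_test > MAX_RESTORE_TEST_DAYS:
        gaps.append(f"restore test stale ({h.days_since_restore_test} days)")
    return gaps

def audit_inventory(hosts: list) -> dict:
    """Map host name -> gaps, hosts with the most gaps first."""
    report = {h.name: audit_host(h) for h in hosts}
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))
# Constructed sample inventory; names and values are made up for this example.
SAMPLE_HOSTS = [
    Host("fileserver-01", False, {445}, 12, True, 0, 30),
    Host("jump-host-02", True, {22, 3389}, 45, False, 3, None),
    Host("warehouse-pc-07", False, {3389}, 5, True, None, None),
]
REPORT = audit_inventory(SAMPLE_HOSTS)  # run the audit on the sample hosts
```

Feed it the output of your own patch, EDR and port-scan tooling in place of SAMPLE_HOSTS, and the hosts that surface at the top of REPORT are the ones to fix first.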
John Donovan is the managing director, ANZ at Sophos.